3

I installed a ASP.Net website on a Windows 2008 server, which is by default using IIS7. The website seems to work fine, but the post backs on my forms do not work. After a few hours of debugging, I realized that when I manually try to hit the WebResource.axd file in my browser (e.g. I type http://www.domain.com/WebResource.axd in the address bar), I get a HTTP 403 error (Access Denied).

I'm not quite sure where to look next and my Windows 2008 security knowledge is limited. How do I go about giving access to that file?

Eric Barr
  • 3,999
  • 5
  • 29
  • 42
user2013
  • 9,231
  • 5
  • 21
  • 8
  • In my case the issue seems to be that the asp.net worker account is missing whatever permission this operation needs. When I moved the assembly from the bin to the GAC, it started working. – xr280xr Oct 03 '13 at 17:58

7 Answers7

11

If you are using plesk panel or Web Application Firewall (ModSecurity) is active, disable "OWASP_CRS / LEAKAGE / ERRORS_IIS" and "OWASP_CRS / POLICY / EXT_RESTRICTED" security rules.

suha.kesikbas
  • 189
  • 1
  • 4
  • 1
    Hey, Thank you! After searching for hours your solution worked! I disabled OWASP_CRS and then everything was fine! THANK YOU!! – jones Nov 10 '20 at 19:55
  • 1
    if you're on a PLESK hosting, then this is what you want! thank you @suha_kskbs !! – Rodney Ellis Dec 28 '20 at 05:50
  • 1
    Hi, I have iis and plesk. Disabled owasp_crs and works perfect. Thanks – Cesar BA Apr 06 '21 at 14:48
  • 1
    Thanks, this also solved this issue for me "Uncaught ReferenceError: Sys is not defined" and "Uncaught ReferenceError: WebForm_DoPostBackWithOptions is not defined at :1:1" – Pablo V Aug 13 '22 at 15:52
  • 1
    Fantastic! Worked for application running on Plesk running OWASP on IIS (ModSecurity 2.9) – navigator Sep 01 '22 at 10:24
  • 1
    Fantastic, its works ok for me – Cesar BA Nov 10 '22 at 12:17
  • 1
    Thanks! Was using Plesk and facing the same issue. Disabled the OWASP_CRS and RESOLVED! Here is how to disable OWASP_CRS in plesk. Link: https://support.plesk.com/hc/en-us/articles/115002531753-How-to-disable-specific-ModSecurity-rules-in-Plesk – Manjunath Bilwar Mar 29 '23 at 17:31
2

Navigate to your iis config folder. Typically: c:\windows\system32\inetsrv\config and open applicationHost.config file. Then within file navigate to the <handlers> section and check that following line is present:

<add name="AssemblyResourceLoader-Integrated" path="WebResource.axd" verb="GET,DEBUG" type="System.Web.Handlers.AssemblyResourceLoader" preCondition="integratedMode" />

That is if you're running in integrated mode. Check that verb GET is specified.

If you are running in classic pipeline mode that this line should be present

<add name="AXD-ISAPI-2.0" path="*.axd" verb="GET,HEAD,POST,DEBUG" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v2.0.50727\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv2.0,bitness32" responseBufferLimit="0" />

If everything seems to be ok than look at your web.config in Handlers and Modules section and see if you have added <clear /> on the top of each. If you did then you have include add section in your web.config file respecting the order in of the handlers/modules specified in applicationHosting.config file.

Enes
  • 3,951
  • 3
  • 25
  • 23
2

For hosting companies that have Plesk control panel, you can turn off the Web Application Firewall (WAF), but since purpose of WAF is to help protect your website from various attacks you should only deactivate the specific Rule IDs that are causing the issue. In my case, I needed to allow .axd files on my website (eg, Scriptresource.axd and WebResource.axd).

  1. Identify this specific Rule ID that is being violated by opening the "ModSecurity Logfile" on the Plesk WAF page.

  2. Search for the 403 Access Denied message in the logfile and then look for a substring that looks like [id "942440"]. This is the rule ID that is being violated.

  3. Switch off the "Security Rule" that applies to this issue, by typing the ID number in the "Switch off Security Rules" section on the Plesk WAF page. In this example, you would type just the numbers "920440" inside the text box.

enter image description here

Jeff
  • 1,362
  • 14
  • 17
1

Not sure on that one, but it may be related to http compression in IIS. Also check that the file is accessible to the IIS User.

Turnkey
  • 9,266
  • 3
  • 27
  • 36
0

Check your IIS logs - they should give a status code that has more detailed information about the error. Also, what is the nature of the error on the postback?

Turnkey
  • 9,266
  • 3
  • 27
  • 36
0

This is the error that I'm getting when doing a Postback:

WebForm_PostBackOptions is undefined.

To my knowledge that function is contained inside the WebResource.axd file, which led me to try it in the address bar, which how I know about the 403 error...

user2013
  • 9,231
  • 5
  • 21
  • 8
0

There is a issue in Firewall setting. Request is blocked in Firewall. contact server admin to change configuration. We got solution.

user13020134
  • 1